Computer crime has been called by various names: Computer abuse, computer fraud, computer-related crime, and automatic data processing (ADP) crime. Regardless of the terms used to describe computer crime, it is where the “big money” is today in white-collar crime, with corporate computer crime losses averaging $621,000¹ per incident.

Law enforcement officers can be trained to investigate competently, professionally, and successfully 93 percent of all computer crimes, and to recognize the level of technical expertise required in a consultant to solve the remaining 7 percent, as will be demonstrated.

The Economic and Financial Crimes Training Unit of the FBI Training Division has conducted extensive research into the training needs of computer crime investigators. The research is based on an analysis of computer systems to determine the areas of vulnerability and the methods of penetration.

A typical computer system uses programs (instructions) to enter data (alphabetic or numeric material) via an input device to a central processing unit (CPU), where the data is processed and output produced, which ultimately becomes information. It is this flow, input/processing-output, that is basic to all computer systems. To facilitate this flow, there must be some form of auxiliary storage (magnetic disk and/or tape), a console unit (which allows communication between the CPU and the computer operator), and terminals (which allow remote access to the computer system). The unshaded portion of figure 1 illustrates this computer system.

Areas of Vulnerability 

The shaded portions of figure 1 represent the areas of vulnerability in a computer system. As is evident, input can be altered; computer programs can be altered or created; CPU’s can be misused; data contained in auxiliary storage files can be added to, changed, or deleted from; output can be altered; operating systems can be modified to allow perpetrators control of the computer; and computer communications can be intercepted or altered.

Computer Crime Schemes 

The areas of vulnerability identified in figure 1 can be considered as computer crime schemes and can then be ranked according to the technical difficulty required to commit the crime. In ascending difficulty, the ranking is:

1. Input/output alteration, 

2. Computer operations, 

3. Computer programs, 

4. Auxiliary storage manipulation, 

5. Operating system penetration, and 

6. Computer communications. 

The alteration of input/output would be the least technically difficult scheme used to commit a crime, while the interception or alteration of computer communications is the most technically difficult crime scheme. By analyzing these schemes in terms of technical capabilities, computer crime suspects can be developed.

Figure 1. Today's computer systems are totally vulnerable

Computer Crime Suspects 

Within any data processing organization there are only four basic functions performed: (1) Data entry, (2) machine operations, (3) application programing, and (4) systems analysis. Computer personnel are assigned to work in one of these four basic functions depending on education level, experience level, needs of the organization, and other miscellaneous factors. The data entry function is the least skilled area with the greatest number of persons assigned and the systems analysis is the most skilled area with the least number of persons assigned. It is these identifiable skill levels, or personnel capabilities, that allow computer crime suspects to be developed. As illustrated in figure 2, personnel having systems analyst capabilities are capable of perpetrating crimes in the most sophisticated scheme levels, computer communications, and operating system penetration.

The process of being able to identify the crime as occurring in either crime scheme 5 (operating system penetration) or crime scheme 6 (computer communications) assists the investigator in developing suspects and narrowing the scope of the investigation. At these levels, only the more skilled personnel will have the technical ability to commit crimes. The more skilled the job function, the fewer the number of personnel capable of performing that job. If the crime scheme is identified as a computer program, then figure 2 shows that the suspects are programers and systems analysts. Personnel in both functions possess this technical capability. Investigators identifying crime schemes in the input/output alteration level have a broad range of suspects. Figure 2 points out that not only data entry personnel are technically capable of criminal activity at this level, but also everyone else in the organization with that technical capability. It is important then for the investigator to be able to recognize the highest technical level at which the scheme was perpetrated in order to narrow the scope of the investigation. Investigators must be trained not only in how to investigate computer crimes, but also in how to recognize the type of scheme used.

Training Levels 

The training needs of the computer crime investigator can be stated in terms of three training levels: (1) An awareness level, (2) a comprehensive level, and (3) a specialist level. Figure 3 illustrates that these training levels can be applied to the schemes of computer crime to determine the level of training needed by the investigator to conduct a professional investigation. In addition, training programs must consider these evidence problems: Sources, recognition, obtaining, and preservation.

FEDERAL BUREAU OF INVESTIGATION
INVESTIGATIVE TECHNIQUES
OF
COMPUTER-RELATED CRIMES

I. General Information

This course is four weeks in length and is conducted at the FBI Academy in Quantico, Virginia 22135, (703) 640-6131.

The entire curriculum is centered around the investigations of automated financial record systems. A live banking application consisting of Demand Deposits, Installment Loans, Savings, and Certificates of Deposits is used as the data base. To give the student a realistic approach, frauds have been purposely built into the system, each requiring various degrees of sophistication to investigate. Although the course is banking oriented, the concepts learned can be applied to other computer-related crimes, as well as the use of the computer in case investigations. Much "hands-on" experience is emphasized.

II. Course Objectives

1. To provide the investigator with sufficient competence in the methods and techniques of investigating in an EDP environment to conduct the investigation professionally.

2. To provide the investigator with an in-depth and specific understanding of computer facilities, organization, documentation, controls, security measures, and computer audit techniques.

3. To provide the investigator with techniques which can be used for the successful investigation of computer-related crimes.

III. Course Schedule

1st Week

Introduction to Data Processing; Coding Schemes; Computer Operations; Card Utility Programming; Computer Operation Control Language; Data Organization; Introduction to RPG II; Programming; Computer Programming Problems; Computer Fraud Practical Problems; Computer Workshops.

2nd Week

Computer System Documentation; Magnetic Disk Storage and Concepts; Data File Security; Disk Utilities; Computer Programming Problems; Computer Fraud Practical Problems; Computer Workshops.

3rd Week

Magnetic Disk Programming; Multiple I/O Programming; Computer System Documentation; Micro Computers; Teleprocessing; Data Communications; Computer Systems Vulnerability; Computer Programming Problems; Computer Fraud Practical Problems; Computer Workshops.

4th Week

Computer System Documentation; Computer Programming; Computer Core Dump; Search Warrant Practical Exercise; Evidence in Computer-Related Crimes; Advanced Computer Concepts; Computer Programming Problems; Computer Fraud Practical Problems; Computer Workshops.

The first level of training for a computer crime investigator is the awareness level, which addresses the least sophisticated computer crime schemes. As indicated in figure 3, this training program will provide the investigator with the technical knowledge to investigate successfully computer crimes involving input/output alteration and computer operations. The source of evidence in cases involving input/output alteration is the source document. In cases where computer operations are involved, the source of evidence is frequently the console log. Since training must involve teaching the investigator how to obtain evidence, this level training must stress terminology, recognition and understanding of source documents, and the availability of information from console logs.

The second level of training, the comprehensive level, must concentrate on computer crime schemes involving computer programs and the manipulation of auxiliary storage. As indicated in figure 3, the source of evidence in computer crime schemes involving computer programs may in fact be a source program and a corresponding object program. The sources of evidence for computer crime schemes involving auxiliary storage manipulation are found in job accounting systems and system documentation. Therefore, this comprehensive level training program must provide the investigator with the technical skills to understand the complexities of computer programs, how to locate the programs, how to distinguish between a source program and an object program, and the importance and function of each.

The investigator must be able to obtain various types of documentation and be prepared to use the documentation as an investigative aid, in addition to being able to decipher job accounting logs. By its very design and position in the hierarchy of training levels, the comprehensive level training program provides the investigator with the technical skills to investigate computer crime schemes ranging from input/output alteration to auxiliary storage manipulation. It must also exceed this level and address the operating system penetration and computer communications schemes.

The third level of training is the specialist level. It is the most sophisticated training level (and rightfully so) since it is designed to combat the computer crime schemes involving the penetration of operating systems and the alteration or interception of computer communications. The sources of evidence in these cases are often located in communication logs, communication system documentation, or other sophisticated areas.

Computer crimes perpetrated in this training level are so sophisticated, and the technology used so dynamic that it changes almost daily, that only practicing, competent computer specialists feel at ease in this area. Rather than design a training program to provide the investigator with the highly sophisticated technical skills needed to investigate this level computer crime scheme, another approach is more practical. (Even if the investigator were trained at this level, the technical skills would be lost or outdated almost immediately due to the rapidly changing technology and the investigator’s inability to devote full time to this field.) During the comprehensive level training program, the investigator can be made aware of the type of computer specialist needed to assist and consult in the various schemes being perpetrated at the specialist level, as well as the sources of evidence. In this manner, the investigator can maintain control over the case and direct the activities of the computer specialist.

Figure 2. The computer crime scheme can be used to identify suspects by technical capability

Figure 3. Identifying computer crime schemes can guide the investigator to sources of evidence, while training programs can focus on recognizing, obtaining, and preserving that evidence

To determine the number of personnel to commit to such training, knowledge of the distribution of cases and the length of such training programs is necessary.

Distribution of Cases 

Research conducted at the FBI Academy indicates that the number of occurrences of computer crime is greatly reduced by the degree of technical ability required to perpetrate the scheme. The majority of the cases occur in the input/output alteration level, while very few cases are known to have occurred in crime scheme 6 (computer communications). Figure 4 indicates that 58 percent of the detected computer crimes occur in schemes 1 and 2, input/output alteration and computer operation, respectively; 35 percent of the cases occur in crime schemes 3 and 4, computer programs and the manipulation of auxiliary storage; and 7 percent of the cases are in schemes 5 and 6, operating system penetration and computer communications. This distribution of cases manifests the types of training programs needed.

Figure 4. Investigators can be trained to investigate successfully 93 percent of all computer crimes, while maintaining professional control over the remaining 7 percent

Of these schemes, computer programing appears to be the fastest growing scheme and is taking on a new look. In the early stages of research, it was found that legitimate computer programs were often later altered to commit a crime. More recently detected, entire computer programs are being prepared for no other purpose than to commit a crime.


Training Programs 

Training can thus be set up in terms of three levels of sophistication. An awareness-type training program, as taught by the Federal Bureau of Investigation, lasts 5 days and gives the investigator the technical skills necessary to investigate 58 percent of the cases (as indicated in figure 4). Although this is the level of the majority of the crimes, monetary losses are frequently insignificant or negligible.

Quality cases or crimes involving large and significant monetary losses appear to be occurring in training level 2, which is a comprehensive training level. The FBI’s comprehensive level training program lasts 4 weeks. The investigators who complete this training program are then given refresher training approximately every 18 months to maintain and update their technical skills.

Through training in the awareness and comprehensive levels, 93 percent of the computer crime cases can be successfully, competently, and professionally investigated (as indicated in figure 4).

Those few investigators receiving the comprehensive training are also taught to recognize the crime schemes being perpetrated at the specialist level. This training provides the investigator with the technical skills to maintain control over and direct the investigation, using the consulting services and assistance of a computer specialist.

Training programs for investigators of computer crimes must be carefully designed and administered to provide the investigator with the technical skills to investigate computer crimes professionally without making him or her a computer specialist.

Footnotes 

1 Congressional Record, Proceedings and Debates of the 96th Congress, 1st sess., Vol. 125, No. 7, January 25, 1979, p. S 726.





Approved For Release 2010/11/17 : CIA-RDP87T00623R000200070037-9 

















